Verifying a Root Certificate

One thing you must do some day, is to try and verify a root certificate.

We’re installing a program in our systems that connect to the Swedish payment transfer service BankGirot. As a part in the installation/setup process, the program wants to add a custom root certificate to my Windows machine. This makes me feel somewhat queasy, as does putting my signature on a document I haven’t read. I therefore began the process of trying to validate it.

My first attempt was rather fruitless. I contacted a representative of BGC via email, sending him the certificate details and thumbprint, asking him to validate it. My inbox has been disturbingly quiet since then.

The next attempt was marginally better. I phoned their customer service number, and talked to a very nice lady, who unfortunately had no idea what I was talking about. After briefly discussing my electronic ID card and concluding that this card had nothing to do with my question, she transfered me to another lady, who was very professional, courteous, but equally clueless. (I have no complaint against any of these persons: I realize the slightly technical nature of my question.)

Next, I received an email from another representative who sent me a screen dump of the Windows front page of the VeriSign certificate used in their normal environment. I remain boundlessly thankful for this; but, as the root certificate I question is not signed by VeriSign (in fact, it is not signed at all), it didn’t help me very much. I am now eagerly awaiting the follow-up to my reply to this letter.

I also contacted the support division of the company who wrote the program trying to install this root certificate by support mail, and am now eagerly awaiting a reply from them as well.

What frightens me in all this, is that nowhere in my attempts to verify this root certificate, have I been met with the slightest level of understanding; and it leads me to believe that I may very well be the first person to attempt this. Which means that there may be possibly hundreds of companies, doing monetary transactions over the Internet, running with a completely unverified root certificate as the security foundation.

This entry was written by Mats Gefvert, posted on February 6, 2008 at 15:31, filed under Security. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never shared. Required fields are marked *

*
*